Just before leaving for SANS last week, I was hit up and told that we need to implement our own home-grown phishing tests. My first thought was "crap, gotta build a box, write code, run tests, maintain code, etc"...

Well, I went to a phishing lunch and learn at the conference, and found out about the PhishMe company/service. I like the idea of it, and I'm trying to get approval to move forward with a demo, HOWEVER, cost is always an object. We got an initial quote, and it's probably going to be difficult to get funding.

Which puts me back at building my own solution. As I was looking up reviews on PhishMe, there were mentions in articles about scripts and programs in the open source community that assist in phishing tests, but my google-fu is not up to snuff this morning and I'm coming up blank.

So, I'm putting out a call to anyone with information on building a platform for this. What scripts/programs/frameworks do you utilize to perform phishing exercises?

I've been playing around with a BT5 VPS instance from hackingmachines.com (in beta) and that is really all I needed. SET using Sendmail is an amazing tool and I've been having lots of fun lately. In fact I just demonstrated to a client last week that I could spoof messages to him that looked like they were coming from his boss and he could not tell the difference (had to harvest an example with boss's signature line first). I sent him an email telling him he was being transferred to their office in Bogota. They don't have an office in Bogota ;P Imagine the fun you could have just issuing instructions to staff. No need to hack anything, just go all HBGary on them and ask for the SSH credentials.

tturner wrote: I've been playing around with a BT5 VPS instance from hackingmachines.com (in beta) and that is really all I needed. SET using Sendmail is an amazing tool and I've been having lots of fun lately. In fact I just demonstrated to a client last week that I could spoof messages to him that looked like they were coming from his boss and he could not tell the difference (had to harvest an example with boss's signature line first). I sent him an email telling him he was being transferred to their office in Bogota. They don't have an office in Bogota ;P

I've been considering a VPS for a while now and I think I was just persuaded!

tturner wrote: No need to hack anything, just go all HBGary on them and ask for the SSH credentials.

We normally just run SET for these types of engagements. If you can base your template off of one of their existing internal emails that is your best option. Back-up plan, make it more of a generic announcement ("Please update your employee benefit options."), and when you construct the email and phishing web page go to the target's home webpage and mimic their font, color schemes, logos, etc.

pseud0 wrote: We normally just run SET for these types of engagements. If you can base your template off of one of their existing internal emails that is your best option. Back-up plan, make it more of a generic announcement ("Please update your employee benefit options."), and when you construct the email and phishing web page go to the target's home webpage and mimic their font, color schemes, logos, etc.

A colleague of mine recently did something similar. However, he created a URL similar to a famous social networking site. The organization had a URL filtering software in place and the spoofed site could not be accessed by the users. Something to keep in mind.

If they already have controls in place to block traffic from going to web sites of different types, and you make a page that is similar to them, you're probably going to get blocked. That's why I recommended copying their own corporate home page. I'd be slightly surprised to see someone blacklisting their own site.